[nsp] known networks for broadcast ping attacks

David P. Maynard dpm at flametree.com
Tue Aug 12 11:04:29 UTC 1997

Eric Wieling wrote:
> We recently implemented outbound filters for our network.  It's
> rather draconion, but it's effectiveand we've had no complaints yet. 
> We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
> with source addresses on our network That's all.
> [...]
> We also block all inbound inbound ICMP 0/0 (echo request) and and a
> bunch of other things.
> --Eric

You should probably allow more ICMP types.  In particular, allowing the ones used by Path MTU discovery will make your life easier.  Trying to track down bizarre sounding connection problems that turn out to be Path MTU discovery failures can make for an interesting day, but it gets old after awhile.  I think there was a discussion here a few weeks ago on ICMP filters, so I would check the archives for details.


 David P. Maynard, Flametree Corporation
 EMail: dpm at flametree.com,  Tel: +1 512 670 4090,  Fax: +1 512 251 8308

More information about the NANOG mailing list